FreeBSD Server Hardening

After Installing clean FreeBSD Server, it is important to harden the server to enhancce the server security. In general “Hardening” means making some changes on spongy material or surface so that it becomes more stronger than before and harder to disfigurement. Similarly, Hardened servers are more resistant to security issue than the non-hardened servers. Nowadays everything is online and there are a lot of attacks on servers, so server hardening is an absolute must.

Requirements:

Clean FreeBSD Server.

SSH client.

Text editor.

Hardening steps:

Disable Local root Access

The first rule to secure the server is, never treat the root account as a regular user.Always log as a normal user and su to root only when needed.

To prevent Root from directly logging onto your system.

Open “/etc/ttys” and change every occurence of “secure” to “insecure”.

Filesystem Structure:

when we install the default FreeBSD server then the “tmp” directory is at two places – “/tmp” and “/var/tmp”. Delete “/var/tmp” and Create link from “/var/tmp” to “/tmp”.

# mv /var/tmp/* /tmp/
# rm -rf /var/tmp
# ln -s /tmp /var/tmp

SSH Logins

By default, FreeBSD prevents root from logging via ssh, but it gives access to anyone with a valid user account.

Ensure only sshv2 is used for connection purpose. SSHV1 does not provide all the security.Open /etc/ssh/sshd_config.

uncomment the line “Protocol 2” and also uncomment all the hostkeys for protocol version 2.

Ensure server is not running X11. Turn off forwarding for X11.

Again open /etc/ssh/sshd_config file search for “X11Forwarding yes” by default it is commented and default value is “yes”, uncomment the line and change value to “no”.

Disable OS Display.

Restriction on user Access:

The basic rule of the server security is “Restric the read/write and execution of certain files”. Update restricitions of some files. Hit these commands:

Password Rules

By default, FreeBSD uses md5 for password hashing and encryption. But blowfish is much better and secure for passwords. Open /etc/login.conf and make some chages:

> change the password format in the default class to blf.
> Use some password policy like minimum password length and mix upper and lower case.
> Policy to change the password after some days.
> Automatically logout the user if they are idle for specific time.
> Prevent global access by setting the default umask.

Update the login database:

# cap_mkdb /etc/login.conf

Here is my /etc/login.conf file snapshot.

Password will be converted to blowfish after changing the password. Check /etc/master.passwd after changing the password, if hashing with password begins with $2 it means blowfish is being used

Disable Some services:

Open /etc/rc.conf and add following lines:

sendmail_enable="NONE" #Disable sendmail as it insecure MTA.

kern_securelevel_enable="YES"

kern_securelevel="3" #The default kernel level is -1, means not much secure. Use level 2 or 3, 3 is the more secure level.

inetd_enable="NO" # inetd, or the network daemon dispatcher, is insecure so we want to make sure it is disabled.

clear_tmp_enable="YES" #By default in FreeBSD the /tmp directory does not get empty on startup its better to clear /tmp directory at the startup so that there is nothing malicious hanging in temp files.

syslogd_flags="-ss" # Ensure syslogd doesn't bind to a network socket if remote logging is not enabled.

icmp_drop_redirect="YES"
icmp_log_redirect="YES" #ICMP Redirect messages can be used by attackers to lead you to their router or some other router. Ignore those packets and log them.

Kernel States

Change some kernel states and to make permanent open /etc/sysctl.conf file and add the following lines.

security.bsd.see_other_uids=0 #prevent users from seeing information about processes that are being run under another UID.

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1 #these two lines enable the concept of blackholing. This is so RST packets don’t get sent back in response to closed ports. This helps to block port scans.

net.inet.ip.random_id=1 # generate a random ID for the IP packets. This will prevent remote observers from determining the rate packets are being generated by watching the counter.

These are the server hardening steps to secure your production server.